Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18WiMax SecurityIntroduction About WiMaxWiMax securitySecurity ArchitectureSecurity MechanismsVulnerabilitiesImprovementConclusionCourse: CSCI 5235 Computer SecurityInstructor: T. Andrew Yang Student Name: Truyen Van LeIntroduction About WiMaxWiMax: Worldwide interoperability for Microwave Access – IEEE802.16.Higher bandwidth, larger coverage, and greater number of users.WiMax actually can provide two forms of wireless service: none-line-of-sight and line-of-sight.WiMax system includes two main parts WiMax receiver and WiMax tower.WiMax SecurityThe transition from Line of Sight (LOS) and Point to Multi Point (PMP) higher frequency (10-66 GHz) to lower frequencies (2- 11 GHz) and NLOS mobile systems the security issues increased tremendouslyWiMAX uses radio channels which are open channels and hence pose a very serious security problem for traffic confidentiality and integrityWiMAX uses air as a medium which exposes the PHY and MAC layersThe the large coverage area of WiMax adding more challenges to secure the connections when attackers is on the move.Security ArchitectureTwo main layers: Medium Access Control (MAC) layer and Physical layer (PHY).SAPs (Service Access Point) are interfacing points.Security ArchitectureConvergence layer: adapts units of data of higher level protocols to the MAC SDU format and vice versa.Common part: construct MAC PDUs, establish the connections, manage the bandwidth, and exchanges MAC SDUs. It is integrated tightly with the security sub-layer.Security ArchitectureSecurity layer: address authentication, authorization, encryption, and exchanges MAC PDUs with the physical layer.Security MechanismsAuthentication: RSA Authentication based on X.509 Certificates.EAP (Extensible Authentication Protocol)HMAC (Hashed Message Authentication Code)Security MechanismsAuthorization: Follow the authentication process. SS request AK along with SAID (Security Association ID).Authorization message includes SS's X.509 certificate, encryption algorithm, and cryptographic ID.After authorization, BS send back the SS a public key, a lifetime key and a SAID.Security MechanismsEncryption: Traffic Encryption Key (TEK) is used to encrypt the data trafficVulnerabilitiesAuthentication of the SS-Man-in-the-Middle and ForgerySS authenticates itself through its certificate, however, the BS does not .Rogue BS could place himself between SS and real BS and try to force SS to authenticate itself and initiate a session by transferring an AK (forgery attack).The attacker can generate his own Authorization Reply Message containing a self-generated AK and thus gain control over the communication of the attacked SS.VulnerabilitiesKey Material Exchange Phase-Attacks on the Key Sequence Number:After the authorization phase, the SS requests key material (TEKs), necessary for data encryption.It periodically sends Key Request Messages referring to one of its valid SAIDs.The BS replies with a Key Reply Message containing valid key material for the given SAID.One potential replay attack is possible due to the Key Sequence Number of the TEK, which has a length of only two Bits.This Sequence Number is part of the TEK parameter within the Key Reply Message.It is used in a circle buffer changing its values to the tiny range of 1 to 4.An attacker is able to capture TEK messages and replay them to gain information needed in order to decrypt data traffic.VulnerabilitiesReplay-and DoS-Attack against SS:The SS send Authentication Information Messages to transmit all relevant information to the BS.The BS responds to the last message with an Authorization Reply Message.The BS can fall victim to a replay attack by which the attacker intercepts an Authorization Request Message from an authorized SS and stores it.He will not be able to derive the AK from the Authorization Response Message (since he does not possess the associated private key), he can repeatedly send the message to the BS, burdening the BS with the effect that this declines the real/authentic SS.VulnerabilitiesPHY attack:Jamming: Attacker introduce a source of noise strong enough to significant reduce the capacity of channel. Scrambling:It is sort of jamming but for a short intervals of time. It is targeted to a specific frames or parts of frames. Scramblers can select what they want to scramble i.e. control information or management information to affect the normal operations of the network. Scrambling becomes a major problem when the network deals with time sensitive messages.ImprovementSS-Man-in-the-Middle and Forgery, Replay and DoS-AttackA countermeasure against Replay/DoS-Attacks is to furnish the Authorization Request Message with a time stamp together with a signature of the SS.These additional parameters, would guarantee message authenticity.The signature should use the private key of the SS in order to protect sensible information within this message.ImprovementKey Material Exchange Phase-Attacks on the Key Sequence NumberIncreasing the sequence number length so that a satisfactory amount of TEK Sequence Numbers can be generated and transmitted within the longest validity duration of the AK.Using 70 days as highest duration of an AK and 30 minutes for the smallest duration of a TEK , a Data SA could theoretically consume 3.360 TEKs over a complete AK- LifetimeConclusionAs the popularity of WiMAX increases, the threats are also increased.Malicious elements are working round the clock to break the security of the various networks.Researchers and engineers have to work tirelessly to come up with solid, robust and most important of all long lasting solutions to the problems relating to security.References[1] Yi Yang, and Rui Li, Toward Wimax Security. IEEE Xplore 2009. http://libproxy.uhcl.edu:2086/stamp/stamp.jsp?isnumber=5362501&arnumber=5362996&punumber=5362500[2] Syed Shabih Hasan, Mohammed Abdul Qadeer, Security Concerns in WiMAX. http://libproxy.uhcl.edu:2086/stamp/stamp.jsp?isnumber=5340254&arnumber=5340365&punumber=5338529[3]